API Authentication and Permissions

OverviewGuesty's platform API allows you to query the Guesty's API according to your token permissions.The API enables integrator to create, update and delete data in various objects such as Users, Listings, Calendars, Reservations, Hooks, Guests and many more.Integrator access is limited by permissions provided during the initial set up (between Guesty and the integrator).This page covers the initial setup phase, API authentication process and available permissions in high level.

Internal integration: available to all of Guesty's users via the dashboard. Allows users to create internal API tokens. To read more about internal integrations visit the API tool kit help page. Internal integration tokens has complete access to the Guesty API in the scope of the data of that user, and therefore should never be shared with any external services.

3rd party services and partners: any service provider that is interested in integrating their service into Guesty's marketplace and by that offer their service to Guesty users, is welcome to contact us at product@guesty.com. Following a validation of the business value for Guesty users, the service provider will be granted with the required permissions for the integration implementation.

AuthenticationGuesty's API uses basic auth which requires the integrator to authenticate requests using a token composed of an API key ID and an API key secret.

Guesty generates the token for each integrator when a user chooses to connect to a services available on the integration marketplace.

At this point it's the integrator responsibility to get the token from the user.

The integrator uses the token in all API requests.

As long as the token is valid (the user didn't disconnect from the service or created a new token) - Guesty will respond to API requests with the requested data.

PermissionsGuesty provides each integrator with a specific permission type. Each permission type defines which requests the integrator will be able to use in the Guesty API.The permission type is provided to the integrator during the initial setup phase. Internal integrations are provided with complete access to the API and therefore should only be used internally and should never be shared with external services.